The NIS2 Directive is an EU directive that strengthens the cyber resilience of European member states and companies through stricter rules. It covers the implementation of security measures for improved IT protection, as well as security checks and fast reporting channels for cybersecurity incidents. Even though the UK is not implementing the directive, as it is no longer bound by EU legislation, it is a good idea to know about it if you do business within the EU.


What is the NIS2 Directive?

The European Union’s NIS2 Directive aims to improve resilience against cybersecurity threats in the essential and important infrastructures of the member states. The abbreviation NIS2 stands for ‘Network and Information Security 2’. It entered into force on January 16th, 2023, and replaces the original NIS Directive (EU) 2016/1148, which had already prompted a shift in how organisations approach IT security; the old directive is repealed with effect from October 18th, 2024, the day after the transposition deadline.

To ensure maximum protection in both the private and public sectors of EU member states, the new NIS2 Directive introduces more comprehensive and stricter rules for a wider target group. In this way, the new rules are intended to ensure greater cyber resilience and more effective action against cybersecurity threats and security breaches. NIS2 also aims to ensure that essential institutions that supply the population with vital goods or services are protected against outages and disruptions in the event of a crisis.

The main objective of NIS2 is to better prepare companies against cyberattacks and to respond efficiently and quickly to IT disruptions. A more consistent security strategy across the EU member states should therefore create the highest possible level of cybersecurity at both national and international levels within the EU. All member states must transpose the directive into national law, which affects both large companies and the small and medium-sized enterprises that fall under the new regulations.

What does the NIS2 Directive change?

NIS2 entails far-reaching changes across 18 sectors (in Germany, the directive is transposed by the NIS2UmsuCG, the NIS-2 Implementation and Cybersecurity Strengthening Act). Among other things, the number of sectors in scope has more than doubled compared with the original NIS Directive, the fines for non-compliance have been tightened, and managing directors are held personally accountable.

In Germany, Spain, Italy and France, for example, the NIS2 Directive will impact thousands of companies. In Germany, up to 40,000 companies will need to comply with the new directive and in Italy, around 50,000 companies. In Spain, approximately 25,000 companies will be subject to the new directive, while in France, over 10,000 entities will be affected.

Here’s an overview of all the changes brought about by the NIS2 Directive:

  • Expansion of the sphere of essential areas: NIS2 classifies many more sectors as essential or important.
  • Stricter penalties: The directive significantly increases fines for violations.
  • Executive responsibility: Executives now have direct responsibility for cybersecurity compliance.
  • Extended areas of application: The NIS2 Directive applies to companies in the listed sectors with at least 50 employees or an annual turnover and balance sheet total above 10 million euros, and to some companies regardless of their size.
  • Need for comprehensive risk analyses: Companies have a duty to carry out thorough risk analyses.
  • Required risk and security management: Strict requirements apply to risk management and security measures. Article 21 of the directive lists minimum measures such as incident handling, backup management and business continuity, supply chain security, access control and multi-factor authentication, encryption, and procedures for assessing the effectiveness of the measures taken (penetration tests are a common way of doing this).
  • Obligatory crisis management: Rapid and effective crisis management strategies, communication channels and reporting systems are required in the event of security incidents.
  • Use of existing security standards: Companies can use established security standards, for example those already applied in regulated industries, as a reference for their implementation.

Who is affected by the NIS2 Directive?

NIS2 distinguishes between ‘essential’ entities (an expanded version of the previous ‘operators of essential services’) and ‘important’ entities, a completely new category. Companies in the listed sectors with at least 50 employees or an annual turnover and balance sheet total above 10 million euros are directly affected. In addition, companies can fall under NIS2 regardless of their size, for example if they are the sole provider of an essential service in a member state or if their failure could result in systemic risks. The directive lists eleven ‘sectors of high criticality’ (Annex I), including in particular the critical infrastructure operators that are vital for government and society, and seven ‘other critical sectors’ (Annex II). Large entities in the Annex I sectors are generally classified as essential; medium-sized entities in those sectors, and entities in the Annex II sectors, are classified as important.

Essential sectors and companies

  • Energy
  • Drinking water supply
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Space
  • Waste water (sewage)
  • Public administration
  • Digital infrastructure
  • ICT service management (B2B)

Important sectors and companies

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food supply
  • Digital service providers
  • Manufacturing (processing industry)
  • Research (optional)

What ob­lig­a­tions apply to companies?

As part of NIS2, companies are subject to strict obligations and significant changes. The section references (§) below are to the German implementing act, the NIS2UmsuCG; other member states number their provisions differently. The obligations include:

  • Risk management and business continuity management (§30, 31): Encryption and cryptography, multi-factor authentication, cyber hygiene, role assignment and access control, backup management and system recovery, supply chain security and risk analyses are mandatory. The ‘size cap’ rule determines which companies fall in scope; the measures themselves must be proportionate to the company’s size, its exposure to risk and the likely impact of an incident.
  • Reporting and notification obligations (§32, 35): Significant security incidents must be reported to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a detailed final report within one month.
  • Registration obligations (§33, 34): Affected organisations and domain name registry service providers must submit their details to the responsible authorities no later than three months after the act comes into force. If the registration obligation is not fulfilled, it can also be fulfilled by a CSIRT (Computer Security Incident Response Team).
  • Approval, monitoring and training obligations for managing directors (§38): Delegating security measures to staff is no longer sufficient. Management must actively approve the necessary measures, monitor their implementation and, in part, is obliged to attend training.
  • Supervisory and enforcement measures (§61, 62): The supervisory authority (in Germany the BSI, which also hosts a national CSIRT) oversees compliance with the required measures. At the earliest three years after the act comes into force, the supervisory authority may request evidence of compliance with the obligations; in the event of imminent danger, it can order measures directly.

In order to comply with your obligations as an affected company at an early stage, you should carry out the following measures:

  • As-is and target analysis: Check whether you are affected by the NIS2 obligations and determine the status quo of your company’s cyber resilience as well as the gaps to be closed.
  • Implementation: Risk analyses and security concepts must be introduced for all information systems.
  • Evaluation: The effectiveness of your company’s risk management methods should be reviewed regularly.
  • Incident handling: Developing a concept for dealing with security incidents is obligatory.
  • Backup and crisis management: Measures for data backup and crisis management must be implemented.
  • Reporting system: An effective reporting system for security incidents should be established, so that the 24-hour and 72-hour deadlines can be met.
  • Training: Employees must be trained regularly.
  • Security of the supply chain: Security in the supply chain must be ensured.

What happens if NIS2 is not im­ple­men­ted?

Companies that do not implement the prescribed measures can expect to face substantial fines (§65). The directive itself sets maximum fines of at least 10 million euros or 2% of worldwide annual turnover for essential entities and at least 7 million euros or 1.4% for important entities, whichever is higher. In accordance with NIS2, the supervisory authorities are given comprehensive supervisory, control and instruction powers, including the enforcement of deadlines. In addition, managing directors assume significantly more responsibility for protection and security measures and can be held personally liable in the event of violations or negligence (§38, §61).

When does the NIS2 Directive come into force?

On December 14th, 2022, the European Parliament and the Council adopted Directive (EU) 2022/2555, known as the NIS2 Directive. It also amends the eIDAS Regulation (EU) No. 910/2014 and the EECC Directive (EU) 2018/1972. It officially entered into force on January 16th, 2023, and repeals the original NIS Directive (EU) 2016/1148 with effect from October 18th, 2024. All EU member states must transpose it into national law by October 17th, 2024.

In different countries, different authorities are responsible for leading the implementation of the directive. For example, in France, ANSSI (National Agency for Information System Security) is leading the implementation efforts, and has even launched Mon Espace NIS 2, a digital service aimed at supporting entities in implementing the directive. The BSI (Federal Office for Information Security) is the responsible authority in Germany, and in Spain, the CCN-CERT (the CERT of the National Cryptologic Centre) oversees cybersecurity measures and ensures compliance.
